AMENDMENTS TO THE CLAIMS 

Please amend the claims as follows. 

1. (Currently Amended) A method of operating a directory server system comprising: 

a) associating an existing role entry in a tree structure with a first user entry in the 
tree structure, wherein a directory server interacts with entries in the tree 
structure, and wherein the existing role entry defines a role and has an associated 
scope in the tree structure based on the existing role entry's location in the tree 
structure according to a first predefined rule, said associating comprising 
attaching the role to the first user entry subject to a first condition comprising a 
role membership condition and the first user entry belonging to the associated 
scope; 

b) adding an attribute to the existing role entry having a special attribute name and 
being associated with an attribute value defining an extra scope in the tree 
structure for the existing role entry, wherein the attribute value identifies a 
designated location in the tree structure outside the existing role entry's 
associated scope, and further wherein the extra scope is based on the designated 
location according to a second predefined rule; and 

c) attaching the role of the existing role entry to a second user entry subject to a 
second condition comprising said role membership condition and the second user 
entry belonging to the extra scope. 

2. (Previously Presented) The method of claim 1, wherein the existing role entry is a nested role 
entry defining at least one other role. 

3. (Previously Presented) The method of claim 2, wherein the existing role entry has an 
attribute defining the at least one other role. 

4. (Previously Presented) The method of claim 1, wherein the role membership condition 
comprises a candidate user entry having an attribute designating the role defined by the 
existing role entry. 
5. (Previously Presented) The method of claim 1, wherein the existing role entry has a role 
filter condition, and the role membership condition comprises one or more attributes of a 
candidate user entry meeting the role filter condition. 

6. (Original) The method of claim 5, wherein the existing role entry has an attribute designating 
the role filter condition. 

7. (Cancelled) 

8. (Cancelled) 

9. (Previously Presented) The method of claim 1, wherein the extra scope is defined as a 
subtree of the designated location. 

10. (Currently Amended) The method of claim 1, wherein the first predefined rule comprises 
defining the existing role entry's associated scope as a subtree of a parent of the existing role 
entry in the tree structure. 

11. (Previously Presented) The method of claim 1, further comprising: 

d) responding to a request of whether a designated user entry has a given role by: 
d1) identifying a corresponding role entry corresponding to the given role; 
d2) determining whether the designated user entry meets the first condition in 
relation to the corresponding role entry; 
d3) if the designated user entry does not meet the first condition in relation to 
the corresponding role entry, determining whether the corresponding role 
entry has extra role data identifying an extra scope; and 
d4) if the corresponding role entry has extra role data, determining whether 
the designated user entry meets the second condition in relation to the 
corresponding role entry. 

12. (Previously Presented) The method of claim 1, further comprising: 

d) responding to a request for any user entries having a given role by: 

d1) identifying a corresponding role entry corresponding to the given role; 
d2) scanning the tree to identify any user entries meeting the first condition in 
relation to the corresponding role entry; and 
d3) if the corresponding role entry has extra role data identifying an extra 
scope, scanning the tree to identify any user entries meeting the second 
condition in relation to the corresponding role entry. 

13. (Previously Presented) The method of claim 1, further comprising: 

d) responding to a request for roles of a given user entry by: 
d1) identifying a candidate role entry; 
d2) determining whether the given user entry meets the first condition in 
relation to the candidate role entry; 
d3) if the given user entry does not meet the first condition in relation to the 
candidate role entry and the candidate role entry has extra role data 
identifying an extra scope, determining whether the given user entry 
meets the second condition in relation to the candidate role entry; and 
d4) repeating said d1) through said d3) with other candidate role entries until 
an end condition is met. 

14. (Previously Presented) The method of claim 13, wherein the end condition comprises 
having performed said d1) through said d3) with substantially all the applicable candidate 
role entries. 

15. (Previously Presented) The method of claim 13, wherein the given user entry belongs to a 
subtree of a top suffix of the tree structure, said d2) is performed for each role entry 
belonging to the subtree of said top suffix, and said d3) is performed for each role entry 
belonging to any subtree of any top suffix of the tree structure. 
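The scoping rules of claims 1, 9 and 10 and the three query procedures of claims 11 through 15 (restated for the system in claims 26 through 30 and for the medium in claims 41 through 45) can be followed end to end in code. The following Python model is an added example written for this page; it is not the applicant's implementation and nothing in the claims fixes its names. The attribute names `extraScope` (the claims' "special attribute name"), `roleRef` (a user attribute designating a role, claim 4) and `roleFilter` (an attribute holding the role filter condition, claims 5 and 6) are placeholders assumed here, as is the `attr=value` filter syntax and the constructed sample tree. The security-relevant point it makes concrete is that the associated scope bounds a role to the subtree of its parent, so a user entry elsewhere that merely names the role (`carol` below) does not acquire it; only a role entry that carries the extra-scope attribute widens that bound, which is why `widened_roles` lists such entries for review.

```python
"""Directory role scoping with an associated scope and an optional extra scope.

Added example modelled on the claims; attribute names and sample data are
constructed placeholders, not the applicant's code or schema.
"""
from typing import Dict, List, Optional

Entry = Dict[str, object]

EXTRA_SCOPE_ATTR = "extraScope"  # the claims' "special attribute name" (assumed)
ROLE_REF_ATTR = "roleRef"        # user attribute designating a role, claim 4 (assumed)
FILTER_ATTR = "roleFilter"       # role attribute holding an "attr=value" filter, claim 5 (assumed)


def parent_dn(dn: str) -> str:
    """Drop the leftmost RDN: 'cn=r,ou=eng,dc=x' -> 'ou=eng,dc=x'."""
    return dn.split(",", 1)[1] if "," in dn else ""


def in_subtree(dn: str, base: str) -> bool:
    """True if dn is base itself or lies beneath it (DNs compared case-insensitively)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


class Directory:
    """Minimal tree: a DN-keyed map of entries; the server 'interacts with' these."""

    def __init__(self, entries: Dict[str, Entry]):
        self.entries = {dn.lower(): dict(e, dn=dn) for dn, e in entries.items()}

    def roles(self) -> List[Entry]:
        return [e for e in self.entries.values() if e.get("objectClass") == "role"]

    def users(self) -> List[Entry]:
        return [e for e in self.entries.values() if e.get("objectClass") == "user"]


def membership_condition(user: Entry, role: Entry) -> bool:
    """Role membership condition: the user designates the role (claim 4) or its
    attributes satisfy the role entry's filter condition (claims 5 and 6)."""
    refs = {str(r).lower() for r in user.get(ROLE_REF_ATTR, [])}
    if role["dn"].lower() in refs:
        return True
    filt = role.get(FILTER_ATTR)
    if filt:
        attr, _, value = str(filt).partition("=")
        return str(user.get(attr, "")).lower() == value.lower()
    return False


def associated_scope(role: Entry) -> str:
    """First predefined rule (claim 10): the subtree of the role entry's parent."""
    return parent_dn(role["dn"])


def extra_scope(role: Entry) -> Optional[str]:
    """Extra role data (claim 1b): the designated location, if the attribute was added;
    the extra scope is its subtree (claim 9)."""
    loc = role.get(EXTRA_SCOPE_ATTR)
    return str(loc) if loc is not None else None


def first_condition(user: Entry, role: Entry) -> bool:
    return membership_condition(user, role) and in_subtree(user["dn"], associated_scope(role))


def second_condition(user: Entry, role: Entry) -> bool:
    loc = extra_scope(role)
    return loc is not None and membership_condition(user, role) and in_subtree(user["dn"], loc)


def has_role(d: Directory, user_dn: str, role_dn: str) -> bool:
    """Claim 11: d1) find the role entry, d2) test the first condition, and only if that
    fails, d3)/d4) fall back to the second condition when extra role data exist."""
    role, user = d.entries[role_dn.lower()], d.entries[user_dn.lower()]
    if first_condition(user, role):
        return True
    return extra_scope(role) is not None and second_condition(user, role)


def users_with_role(d: Directory, role_dn: str) -> List[str]:
    """Claim 12: scan under the first condition, then under the second if extra role data exist."""
    role = d.entries[role_dn.lower()]
    found = [u["dn"] for u in d.users() if first_condition(u, role)]
    if extra_scope(role) is not None:
        found += [u["dn"] for u in d.users() if second_condition(u, role) and u["dn"] not in found]
    return sorted(found)


def roles_of(d: Directory, user_dn: str) -> List[str]:
    """Claims 13 and 15: iterate every candidate role entry. The first condition can only
    hold for role entries in the user's own subtree, so no separate suffix check is needed;
    the second condition is tried for role entries anywhere in the tree."""
    user = d.entries[user_dn.lower()]
    return sorted(r["dn"] for r in d.roles() if first_condition(user, r) or second_condition(user, r))


def widened_roles(d: Directory) -> List[str]:
    """Review aid: role entries whose reach was extended beyond their parent's subtree."""
    return sorted(r["dn"] for r in d.roles() if extra_scope(r) is not None)


# Constructed sample tree: the deployer role lives under ou=eng and is widened to ou=ops.
SAMPLE: Dict[str, Entry] = {
    "dc=example,dc=com": {"objectClass": "domain"},
    "ou=eng,dc=example,dc=com": {"objectClass": "organizationalUnit"},
    "ou=ops,dc=example,dc=com": {"objectClass": "organizationalUnit"},
    "ou=contractors,dc=example,dc=com": {"objectClass": "organizationalUnit"},
    "cn=deployer,ou=eng,dc=example,dc=com": {"objectClass": "role", EXTRA_SCOPE_ATTR: "ou=ops,dc=example,dc=com"},
    "cn=auditor,ou=ops,dc=example,dc=com": {"objectClass": "role", FILTER_ATTR: "team=sec"},
    "uid=alice,ou=eng,dc=example,dc=com": {"objectClass": "user", ROLE_REF_ATTR: ["cn=deployer,ou=eng,dc=example,dc=com"]},
    "uid=bob,ou=ops,dc=example,dc=com": {"objectClass": "user", ROLE_REF_ATTR: ["cn=deployer,ou=eng,dc=example,dc=com"], "team": "sec"},
    "uid=carol,ou=contractors,dc=example,dc=com": {"objectClass": "user", ROLE_REF_ATTR: ["cn=deployer,ou=eng,dc=example,dc=com"], "team": "sec"},
}

if __name__ == "__main__":
    d = Directory(SAMPLE)
    print(users_with_role(d, "cn=deployer,ou=eng,dc=example,dc=com"))
    print(roles_of(d, "uid=carol,ou=contractors,dc=example,dc=com"))
```

In the sample, `alice` holds the deployer role through the associated scope, `bob` through the extra scope, and `carol` not at all even though her entry names the role, because `ou=contractors` lies in neither scope. The auditor role is filter-based and has no extra scope, so it reaches `bob` (in `ou=ops`, `team=sec`) but not `carol`.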

16. (Currently Amended) A directory server system comprising: 

a directory server interacting with entries in a tree structure, said tree structure 
comprising an existing role entry and a first user entry, wherein the existing role 
entry defines a role and has an associated scope in the tree structure based on the 
existing role entry's location in the tree structure according to a first predefined 
rule; 
a role mechanism capable of attaching the existing role entry's role to the first user entry 
subject to a first condition comprising a role membership condition and the first 
user entry belonging to the associated scope; and 

said role mechanism further capable of attaching the existing [[rule]] role entry's role to a 
second user entry subject to a second condition comprising said role membership 
condition and the second user entry belonging to an extra scope identified by 
extra role data of the existing role entry, wherein the extra role data comprise an 
added attribute having a special attribute name and being associated with an 
attribute value identifying a designated location in the tree structure outside of the 
existing role entry's associated scope, and the extra scope is based on the 
designated location according to a second predefined rule. 

17. (Previously Presented) The directory server system of claim 16, wherein the existing role 
entry is a nested role entry defining at least one other role. 

18. (Previously Presented) The directory server system of claim 17, wherein the existing role 
entry has an attribute defining the at least one other role. 

19. (Previously Presented) The directory server system of claim 16, wherein the role 
membership condition comprises a candidate user entry having an attribute designating the 
role defined by the existing role entry. 

20. (Previously Presented) The directory server system of claim 16, wherein the existing role 
entry has a role filter condition, and the role membership condition comprises one or more 
attributes of a candidate user entry meeting the role filter condition. 

21. (Original) The directory server system of claim 20, wherein the existing role entry has an 
attribute designating the role filter condition. 

22. (Cancelled) 

23. (Cancelled) 

24. (Previously Presented) The directory server system of claim 16, wherein the extra scope is 
defined as a subtree of the designated location. 
25. (Currently Amended) The directory server system of claim 16, wherein the first predefined 
rule comprises defining the existing role entry's associated scope as a subtree of a parent of 
the existing role entry in the tree structure. 

26. (Previously Presented) The directory server system of claim 16, wherein the role mechanism 
is further capable of responding to a request of whether a designated user entry has a given 
role by: 

i) identifying a corresponding role entry corresponding to the given role; 

ii) determining whether the designated user entry meets the first condition in 
relation to the corresponding role entry; 

iii) if the designated user entry does not meet the first condition in relation to the 
corresponding role entry, determining whether the corresponding role entry 
has extra role data defining an extra scope; and 

iv) if the corresponding role entry has extra role data, determining whether the 
designated user entry meets the second condition in relation to the 
corresponding role entry. 

27. (Previously Presented) The directory server system of claim 16, wherein the role mechanism 
is further capable of responding to a request for any user entries having a given role by: 

i) identifying a corresponding role entry corresponding to the given role; 

ii) scanning the tree to identify any user entries meeting the first condition in relation 
to the corresponding role entry; and 

iii) if the corresponding role entry has extra data identifying an extra scope, scanning 
the tree to identify any user entries meeting the second condition in relation to the 
corresponding role entry. 

28. (Previously Presented) The directory server system of claim 16, wherein the role mechanism 
is further capable of responding to a request for roles of a given user entry by: 

i) identifying a candidate role entry; 

ii) determining whether the given user entry meets the first condition in relation to 
the candidate role entry; 

iii) if the given user entry does not meet the first condition in relation to the candidate 
role entry and the determined role entry has extra data identifying an extra scope, 
determining whether the given user entry meets the second condition in relation 
to the candidate role entry; and 
iv) repeating said i) through said iii) with other candidate role entries until an end 
condition is met. 

29. (Previously Presented) The directory server system of claim 28, wherein the end condition 
comprises having performed said i) through said iii) with substantially all the applicable 
candidate role entries. 

30. (Previously Presented) The directory server system of claim 28, wherein the given user 
entry belongs to a subtree of a top suffix of the tree structure, said ii) is performed for each 
role entry belonging to the subtree of said top suffix, and said iii) is performed for each role 
entry belonging to any subtree of any top suffix of the tree structure. 

31. (Currently Amended) A computer readable medium having stored thereon instructions for: 

a) associating an existing role entry in a tree structure with a first user entry in the 
tree structure, wherein a directory server interacts with entries in the tree 
structure, and wherein the existing role entry defines a role and has an associated 
scope in the tree structure based on the existing role entry's location in the tree 
structure according to a first predefined rule, said associating comprising 
attaching the role to the first user entry subject to a first condition comprising a 
role membership condition and the first user entry belonging to the associated 
scope; 

b) adding an attribute to the existing role entry having a special attribute name and 
being associated with an attribute value defining an extra scope in the tree 
structure for the existing role entry, wherein the attribute value identifies a 
designated location in the tree structure outside the existing role entry's 
associated scope, and further wherein the extra scope is based on the designated 
location according to a second predefined rule; and 

c) attaching the role of the existing role entry to a second user entry subject to a 
second condition comprising said role membership condition and the second user 
entry belonging to the extra scope. 
32. (Previously Presented) The computer readable medium of claim 31, wherein the existing 
role entry is a nested role entry defining at least one other role. 

33. (Previously Presented) The computer readable medium of claim 32, wherein the existing 
role entry has an attribute defining the at least one other role. 

34. (Previously Presented) The computer readable medium of claim 31, wherein the role 
membership condition comprises a candidate user entry having an attribute designating the 
role defined by the existing role entry. 

35. (Previously Presented) The computer readable medium of claim 31, wherein the existing 
role entry has a role filter condition, and the role membership condition comprises one or 
more attributes of a candidate user entry meeting the role filter condition. 

36. (Original) The computer readable medium of claim 35, wherein the existing role entry has 
an attribute designating the role filter condition. 

37. (Cancelled) 

38. (Cancelled) 

39. (Previously Presented) The computer readable medium of claim 31, wherein the extra scope 
is defined as a subtree of the designated location. 

40. (Currently Amended) The computer readable medium of claim 31, wherein the first 
predefined rule comprises defining the existing role entry's associated scope as a subtree of a 
parent of the existing role entry in the tree structure. 

41. (Previously Presented) The computer readable medium of claim 31, further comprising 
instructions for: 

d) responding to a request of whether a designated user entry has a given role by: 
d1) identifying a corresponding role entry corresponding to the given role; 
d2) determining whether the designated user entry meets the first condition in 
relation to the corresponding role entry; 
d3) if the designated user entry does not meet the first condition in relation to 
the corresponding role entry, determining whether the corresponding role 
entry has extra role data identifying an extra scope; and 
d4) if the corresponding role entry has extra role data, determining whether 
the designated user entry meets the second condition in relation to the 
corresponding role entry. 

Application No.: 10/613,660 
Docket No.: 03226/500001; P7528 

42. (Previously Presented) The computer readable medium of claim 31, further comprising 
instructions for: 

d) responding to a request for any user entries having a given role by: 

d1) identifying a corresponding role entry corresponding to the given role; 
d2) scanning the tree to identify any user entries meeting the first condition in 
relation to the corresponding role entry; and 
d3) if the corresponding role entry has extra role data identifying an extra 
scope, scanning the tree to identify any user entries meeting the second 
condition in relation to the corresponding role entry. 

43. (Previously Presented) The computer readable medium of claim 31, further comprising 
instructions for: 

d) responding to a request for roles of a given user entry by: 
d1) identifying a candidate role entry; 

d2) determining whether the given user entry meets the first condition in 
relation to the candidate role entry; 

d3) if the given user entry does not meet the first condition in relation to the 
candidate role entry and the candidate role entry has extra role data 
identifying an extra scope, determining whether the given user entry 
meets the second condition in relation to the candidate role entry; and 

d4) repeating said d1) through said d3) with other candidate role entries until 
an end condition is met. 

44. (Previously Presented) The computer readable medium of claim 43, wherein the end 
condition comprises having performed said d1) through said d3) with substantially all the 
applicable candidate role entries. 
45. (Previously Presented) The computer readable medium of claim 43, wherein the given user 
entry belongs to a subtree of a top suffix of the tree structure, said d2) is performed for each 
role entry belonging to the subtree of said top suffix, and said d3) is performed for each role 
entry belonging to any subtree of any top suffix of the tree structure. 